Top Recommendations For CISOs In 2025: Deal With Uncertainty… Again

The security landscape continues to evolve, as does global uncertainty, leaving CISOs to prepare for turbulence ahead. Our latest report, Top Recommendations For Your Security Program, 2025, provides timely guidance for security leaders as they navigate another precarious year for their roles, programs, and organizations.

We’ve included four of our 12 recommendations in this blog as a starter pack for what CISOs will deal with in 2025 and, most importantly, what they should do about it. Our recommendations for 2025 fall into four main themes:

  1. The changing consequences of the CISO role
  2. Changing technology across the enterprise and in cybersecurity
  3. Ever-present yet changing threats
  4. Securing emerging tech

We design our insights to help technology leaders, chief information officers, and chief information security officers (CISOs) and their teams stay ahead of the curve and more effectively advocate for their programs.

Deal With Changing Consequences: Cover Stakeholders, Reduce Risk

For the past four years, we’ve been advising CISOs to link three groups of external stakeholders to their programs and budgets. Customers, cyberinsurance carriers, and regulators represent revenue won or lost, tie security to the cost of doing business, and should be an integral part of program planning in 2025 and beyond.

Recommendation: Conduct a materiality tabletop exercise. Item 1.05 of SEC Form 8-K requires registrants to disclose a cybersecurity incident within four business days of determining that it is material, so the materiality decision has to be rehearsed before an incident, not improvised during one. Running a materiality tabletop exercise with senior executives and counsel builds a shared understanding of the process, the evidence needed, and the decision points used to judge whether an incident is material. That preparation makes timely and accurate disclosure far more likely and reduces the risk of enforcement action for late or misleading filings.

Deal With Changing Technology: Make Plans For (Or Against) Platformization

Tools, technologies, products, and services are consolidating and competing for the largest share of your security tech stack, and the market is hurtling toward a few large proactive and reactive security platform players, in some cases both. CISOs shouldn't feel obliged to match that frenetic pace with platform adoption. Not every platform makes sense for your program and organization, though some deliver benefits that point solutions can't.

Recommendation: Reduce your SIEM bill with data pipeline management. Most SIEM pricing scales with ingest volume, and a large share of what gets ingested (verbose debug logs, repeated identical events, bulky raw payloads that have already been parsed into fields) adds cost without adding detection value. Data pipeline management (DPM) tools sit between log sources and the SIEM to filter, deduplicate, enrich, and route events, sending high-value telemetry to the SIEM and lower-value data to cheaper storage. Because the pipeline, rather than the SIEM, owns collection and normalization, it also makes migrating to a new platform much easier: the sources are re-pointed once, not re-onboarded.
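To make the ingest-reduction idea concrete, here is a small pipeline stage of the kind a DPM tool runs. It is an added example written for this post, not code from the Forrester report or from any DPM vendor. The sample events, field names, routing rules, and the assumption that firewall permits between internal hosts belong in cheap storage rather than the SIEM are all constructed for illustration.

```python
"""Added example, not code from the Forrester report: a minimal data
pipeline stage that sits between log sources and the SIEM. It drops noise,
strips bulky fields that carry no detection value, routes low-value events to
cheap storage, and collapses repeated events into one counted event so the
SIEM bill shrinks without losing detection signal. Events, field names and
rules below are constructed for illustration."""
import json

# Mimics the bulky original syslog line most collectors attach to each event.
RAW_PAD = " policy=default rule=42 iface=eth0 session=0" * 6

# Constructed sample events, as a DPM stage would receive them after parsing.
SAMPLE_EVENTS = [
    {"ts": 1, "source": "fw01", "level": "info", "action": "allow",
     "src_ip": "10.0.0.5", "dst_ip": "10.0.0.9", "dst_port": 443, "raw": "ALLOW" + RAW_PAD},
    {"ts": 2, "source": "fw01", "level": "info", "action": "allow",
     "src_ip": "10.0.0.5", "dst_ip": "10.0.0.9", "dst_port": 443, "raw": "ALLOW" + RAW_PAD},
    {"ts": 3, "source": "fw01", "level": "warn", "action": "deny",
     "src_ip": "203.0.113.7", "dst_ip": "10.0.0.9", "dst_port": 22, "raw": "DENY" + RAW_PAD},
    {"ts": 4, "source": "fw01", "level": "warn", "action": "deny",
     "src_ip": "203.0.113.7", "dst_ip": "10.0.0.9", "dst_port": 22, "raw": "DENY" + RAW_PAD},
    {"ts": 5, "source": "app01", "level": "debug", "msg": "cache hit", "raw": "DEBUG" + RAW_PAD},
    {"ts": 6, "source": "idp", "level": "warn", "action": "login_failed",
     "user": "alice", "src_ip": "198.51.100.2", "raw": "FAIL" + RAW_PAD},
    {"ts": 7, "source": "idp", "level": "info", "action": "login_ok",
     "user": "alice", "src_ip": "10.0.0.5", "raw": "OK" + RAW_PAD},
]

STRIP_FIELDS = {"raw"}  # already parsed into structured fields; pure cost
DEDUP_KEY = ("source", "action", "src_ip", "dst_ip", "dst_port", "user")


def is_internal(ip):
    """Hypothetical internal-range check; a real pipeline would use the ipaddress module."""
    return ip is not None and ip.startswith("10.")


def route(ev):
    """Decide where an event goes: 'siem', 'archive' or 'drop'."""
    if ev.get("level") == "debug":
        return "drop"  # no detection value
    if ev.get("source", "").startswith("fw") and ev.get("action") == "allow" \
            and is_internal(ev.get("src_ip")) and is_internal(ev.get("dst_ip")):
        return "archive"  # east-west permits: keep for forensics, not for alerting
    return "siem"


def size(ev):
    """Bytes the event would cost as compact JSON, the unit most SIEMs bill on."""
    return len(json.dumps(ev, separators=(",", ":")).encode())


def run_pipeline(events):
    """Returns (siem_events, archive_events, stats)."""
    stats = {"bytes_in": 0, "bytes_siem": 0, "bytes_archive": 0,
             "dropped": 0, "deduped": 0}
    siem, archive = {}, []
    for ev in events:
        stats["bytes_in"] += size(ev)
        dest = route(ev)
        if dest == "drop":
            stats["dropped"] += 1
            continue
        slim = {k: v for k, v in ev.items() if k not in STRIP_FIELDS}
        if dest == "archive":
            archive.append(slim)
            stats["bytes_archive"] += size(slim)
            continue
        # Aggregate repeats so threshold detections (e.g. N denies from one IP)
        # still work on the count field instead of on N separate events.
        key = tuple(slim.get(k) for k in DEDUP_KEY)
        if key in siem:
            siem[key]["count"] += 1
            siem[key]["last_ts"] = slim["ts"]
            stats["deduped"] += 1
        else:
            slim["count"], slim["last_ts"] = 1, slim["ts"]
            siem[key] = slim
    siem_events = list(siem.values())
    stats["bytes_siem"] = sum(size(e) for e in siem_events)
    return siem_events, archive, stats


if __name__ == "__main__":
    _, _, s = run_pipeline(SAMPLE_EVENTS)
    saved = 1 - (s["bytes_siem"] / s["bytes_in"])
    print(f"SIEM ingest reduced by {saved:.0%}; stats={s}")
```

The point to take from the design is that every reduction step preserves something the SIEM still needs: the archive keeps forensic data, the stripped field was redundant with parsed fields, and deduplication keeps a count and last-seen timestamp so threshold-based detections still fire. Dropping blindly to hit a budget is how DPM projects create blind spots.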

Deal With Changing Threats: Address Geopolitical Issues

The current geopolitical climate leaves CISOs with the duty and responsibility to protect their organizations or risk becoming collateral — or direct — damage as governments posture against one another. With trade breakdowns fraying already fragile supply chains and nations vying for AI dominance, focus your defensive efforts to stay nimble and ready to meet new demands placed on your program.

Recommendation: Prepare for cryptoagility as a prerequisite for post-quantum security. A cryptographically relevant quantum computer would break today's public-key algorithms (RSA, Diffie-Hellman, and elliptic-curve cryptography), and adversaries can record encrypted traffic now to decrypt later once one exists. CISOs must start preparing by assessing that exposure and making their systems cryptoagile, meaning algorithms and key sizes can be replaced through configuration rather than code rewrites. That starts with discovering and prioritizing the data, keys, and algorithms that need to move to quantum-safe cryptography, beginning with long-lived sensitive data protected by vulnerable key exchange or key wrapping.
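The discovery-and-prioritization step is where most programs stall, so here is a worked illustration of it: a toy cryptographic inventory that tags each use of cryptography with its quantum exposure and ranks it for migration. This is an added example written for this post, not code from the Forrester report or from any inventory tool. The inventory records, the scoring weights, and the five-year migration horizon are hypothetical; the algorithm classifications (Shor against public-key schemes, Grover against symmetric and hash strength, the NIST FIPS 203/204/205 standards) are not.

```python
"""Added example, not code from the Forrester report: a toy cryptographic
inventory (a "CBOM") that tags each use of cryptography with its quantum
exposure and ranks it for migration. Ranking favors key exchange and
encryption that protect long-lived data, because ciphertext captured today
can be decrypted once a cryptographically relevant quantum computer (CRQC)
exists. The inventory records and scoring weights are hypothetical."""
from dataclasses import dataclass

# Public-key schemes Shor's algorithm breaks on a CRQC.
QUANTUM_BROKEN = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "X25519", "Ed25519"}
# NIST post-quantum standards: ML-KEM (FIPS 203), ML-DSA (FIPS 204), SLH-DSA (FIPS 205).
QUANTUM_SAFE = {"ML-KEM-768", "ML-KEM-1024", "ML-DSA-65", "ML-DSA-87", "SLH-DSA-SHA2-128s"}


@dataclass(frozen=True)
class CryptoUse:
    asset: str
    algorithm: str
    key_bits: int               # key size, digest size for hashes, nominal for PQC parameter sets
    purpose: str                # key_exchange | signature | encryption_at_rest | hash
    data_lifetime_years: int    # how long the protected data must stay confidential/trusted
    agile: bool                 # can the algorithm be swapped by configuration alone


def classify(use):
    """Quantum exposure of one crypto use."""
    if use.algorithm in QUANTUM_SAFE:
        return "quantum-safe"
    if use.algorithm in QUANTUM_BROKEN:
        return "quantum-vulnerable"
    # Grover's algorithm at most halves effective symmetric/hash strength,
    # so 256-bit keys and digests keep a comfortable margin; 128-bit do not.
    if use.algorithm.startswith(("AES", "SHA", "ChaCha")):
        return "quantum-safe" if use.key_bits >= 256 else "weakened"
    return "review"  # unknown algorithm: needs a human look


def priority(use, migration_years=5):
    """Hypothetical score: higher means migrate sooner, 0 means nothing to do."""
    cls = classify(use)
    if cls == "quantum-safe":
        return 0
    score = 1
    if cls == "quantum-vulnerable":
        score += 3
    long_lived = use.data_lifetime_years > migration_years
    if long_lived and use.purpose in ("key_exchange", "encryption_at_rest"):
        score += 4  # harvest-now-decrypt-later exposure
    elif long_lived and use.purpose == "signature":
        score += 2  # long-lived trust anchors (roots, firmware) need re-signing
    if not use.agile:
        score += 2  # hardcoded algorithm: migration requires a code change
    return score


def migration_plan(inventory):
    """Inventory ranked by priority, then by data lifetime."""
    ranked = sorted(inventory, key=lambda u: (priority(u), u.data_lifetime_years), reverse=True)
    return [(u.asset, classify(u), priority(u)) for u in ranked]


# Constructed inventory for a hypothetical organization.
INVENTORY = [
    CryptoUse("vpn-gateway TLS", "X25519", 256, "key_exchange", 10, True),
    CryptoUse("backup-kek", "RSA", 2048, "encryption_at_rest", 10, False),
    CryptoUse("firmware-signing", "RSA", 3072, "signature", 15, False),
    CryptoUse("api-jwt (ES256)", "ECDSA", 256, "signature", 0, True),
    CryptoUse("db-field-encryption", "AES", 128, "encryption_at_rest", 7, True),
    CryptoUse("audit-log-hash", "SHA", 256, "hash", 7, True),
    CryptoUse("pqc-pilot TLS", "ML-KEM-768", 768, "key_exchange", 10, True),
]

if __name__ == "__main__":
    for asset, cls, score in migration_plan(INVENTORY):
        print(f"{score:2d}  {cls:20s} {asset}")
```

Two things the ranking makes visible that a flat list of algorithms would not: the RSA key-encryption key wrapping ten-year backups outranks the VPN's X25519 key exchange even though both are equally broken, because it is hardcoded and so cannot be swapped by configuration; and the short-lived ECDSA JWT signatures land near the bottom, since a signature that only needs to hold for minutes has no harvest-now-decrypt-later exposure. The `agile` flag is the cryptoagility prerequisite in the recommendation: anything scored with it false needs engineering work before any post-quantum algorithm can be deployed.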

Deal With Emerging Technology: Keep Your Eyes On The Horizon

Emerging technologies should be on the radar of your emerging technology team and security architects, because adoption moves quickly once they arrive and security is rarely consulted first. Prepare now for what happens as 2025 progresses and we move into 2026.

Recommendation: Grow machine identity governance. Machine identities (service accounts, workload identities, certificates, API keys, and other non-human credentials) now far outnumber human ones and keep proliferating with cloud and automation, yet they are frequently unowned, over-privileged, and never rotated. CISOs should build an inventory of machine identities across IAM, PKI, and secrets stores, assign an owner to each, and implement a purpose-built machine identity management solution to enforce lifecycle controls such as rotation and expiry. This helps prevent unauthorized access and reduces the risk of data breaches.
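Since the inventory is the foundation the recommendation rests on, here is what the first version of one looks like, with the governance checks a CISO would want to see first. This is an added example written for this post, not code from the Forrester report or from any identity product. The three system exports (cloud IAM service accounts, an internal PKI, a secrets manager), their field names, the fixed reference date, and the 90-day rotation and 30-day certificate renewal thresholds are all hypothetical; a real implementation would pull from the IdP, cloud IAM, PKI and secrets manager APIs.

```python
"""Added example, not code from the Forrester report: building a machine
identity inventory from three constructed system exports (cloud IAM service
accounts, the internal PKI, and a secrets manager) and running the governance
checks a CISO would want first: no owner, credential past its rotation window,
expired or expiring certificates, and privilege without a recorded purpose.
The export formats, field names and policy thresholds are hypothetical."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

TODAY = date(2025, 4, 1)       # fixed so the example is reproducible
MAX_CREDENTIAL_AGE_DAYS = 90   # hypothetical rotation policy for keys and tokens
CERT_WARN_DAYS = 30            # hypothetical renewal window for certificates


@dataclass
class MachineIdentity:
    id: str
    kind: str                   # service_account | certificate | api_key
    owner: Optional[str]
    credential_issued: date     # last key rotation, or the certificate's notBefore
    expires: Optional[date]
    privileged: bool
    purpose: Optional[str]
    findings: List[str] = field(default_factory=list)


# Constructed exports from three hypothetical systems.
IAM_SERVICE_ACCOUNTS = [
    {"name": "svc-billing", "owner": "team-finance", "key_rotated": "2025-02-01",
     "admin": True, "description": "nightly invoicing batch"},
    {"name": "svc-legacy-etl", "owner": "", "key_rotated": "2021-06-01",
     "admin": True, "description": ""},
]
PKI_CERTS = [
    {"cn": "api.internal.example", "owner": "team-platform",
     "not_before": "2024-05-01", "not_after": "2025-04-20"},
    {"cn": "old-vpn.example", "owner": "team-network",
     "not_before": "2023-01-01", "not_after": "2024-12-31"},
]
SECRETS_MANAGER = [
    {"path": "ci/deploy-token", "owner": "team-platform", "rotated": "2025-03-15", "scope": "write"},
    {"path": "ci/registry-token", "owner": "team-platform", "rotated": "2024-09-01", "scope": "admin"},
]


def build_inventory():
    """Normalize the three exports into one list of MachineIdentity records."""
    inv = []
    for sa in IAM_SERVICE_ACCOUNTS:
        inv.append(MachineIdentity(sa["name"], "service_account", sa["owner"] or None,
                                   date.fromisoformat(sa["key_rotated"]), None,
                                   sa["admin"], sa["description"] or None))
    for c in PKI_CERTS:
        inv.append(MachineIdentity(c["cn"], "certificate", c["owner"] or None,
                                   date.fromisoformat(c["not_before"]),
                                   date.fromisoformat(c["not_after"]),
                                   False, "TLS server certificate"))
    for s in SECRETS_MANAGER:
        inv.append(MachineIdentity(s["path"], "api_key", s["owner"] or None,
                                   date.fromisoformat(s["rotated"]), None,
                                   s["scope"] == "admin", "CI credential"))
    return inv


def govern(inventory, today=TODAY):
    """Attach governance findings to each identity; returns the worst offenders first."""
    for m in inventory:
        m.findings = []
        if not m.owner:
            m.findings.append("no-owner")
        if m.kind != "certificate" and (today - m.credential_issued).days > MAX_CREDENTIAL_AGE_DAYS:
            m.findings.append("rotation-overdue")
        if m.expires is not None:
            if m.expires < today:
                m.findings.append("expired")
            elif (m.expires - today).days <= CERT_WARN_DAYS:
                m.findings.append("expiring-soon")
        if m.privileged and not m.purpose:
            m.findings.append("privileged-without-purpose")
    # Privileged identities with findings are the ones to fix first.
    return sorted(inventory, key=lambda m: (bool(m.findings), m.privileged), reverse=True)


if __name__ == "__main__":
    for m in govern(build_inventory()):
        print(f"{m.id:25s} {m.kind:16s} owner={m.owner or '-':14s} {', '.join(m.findings) or 'ok'}")
```

The normalization step is the real work: three systems that each know only their own slice are folded into one record type with the same four questions asked of every entry (who owns it, when was its credential last issued, when does it expire, why does it have the privilege it has). The ownerless, never-rotated admin service account that surfaces at the top is the typical shape of a machine identity problem, and no single source system would have flagged it on its own.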

For a deeper dive into these insights and more, read the full report, Top Recommendations For Your Security Program, 2025, and register for our webinar on Wednesday, April 16 at 11 a.m. ET. Forrester clients can also schedule an inquiry or guidance session to discuss our recommendations and how they apply to your organization.
